Add Credentials in Bomgar Vault
Bomgar Vault is a system designed to help you manage your credentials. You can easily store, rotate, and use credentials to access systems, platforms, and applications that are critical to your organization.
Add Credentials to Vault
- Go to Credentials > Credentials.
- Click the New Credential button.
Step 1 - Basic information
Note: As you walk through the add and edit processes for credentials, you can click on the steps to navigate between different sections.
This section allows you to add preliminary information about the credential, including credential type and credential policy association.
- Choose a credential type from the dropdown.
- Select a credential policy for the credential. Once a credential policy is selected, more configuration options appear.
- Choose the Integration access type: Restricted or Shared.
Restricted: Restricted credentials are so named because they must be associated with a specific endpoint. This means the credentials can be used only to access endpoints to which they have been assigned. Read the examples below, then follow steps 4-8 to associate the credential with a specific endpoint or endpoint group.
- When an integration between Bomgar Vault and Bomgar Remote Support exists, the Bomgar representative console offers the representative restricted credentials for use when attempting to access an endpoint to which they are assigned.
- When an integration between Bomgar Vault and Bomgar Privileged Access exists, the Bomgar access console offers the privileged user restricted credentials for use only when attempting to access an endpoint to which they have been assigned.
Shared: Shared credentials are so named because they lack an endpoint restriction, allowing them to be used to access multiple endpoints without being explicitly assigned to those endpoints. Read the examples below, then skip to step 10 to finish inputting the basic information for the credential.
- When an integration between Bomgar Vault and Bomgar Remote Support exists, the Bomgar representative console offers these credentials for any endpoint a representative attempts to access.
- When an integration between Bomgar Vault and Bomgar Privileged Access exists, the Bomgar access console offers these credentials for any endpoint a privileged user attempts to access.
Note: Vault Go! customers can select only the Shared option.
Note: If you are a Vault Go! user, you do not need to configure endpoints in your instance.
- Choose whether the credential is used for Service Rotation, Integration, or both by checking the corresponding box(es).
- Choose to add an Existing endpoint or to create a New endpoint by selecting the appropriate radio button.
- Select which list to display, Endpoints or Endpoints Groups.
- From the Unassigned list, select the endpoint(s) or endpoint group(s) you wish to associate with the new credential.
- Click Accept to assign the selected endpoint(s) or endpoint group(s) to the credential. The Create Endpoint dialog box closes.
- Type in a Credential Description.
- Type in the:
  - Username - user name for the credential.
  - Password - password for the credential.
  - Confirm Password - re-enter the password.
Note: You may see more or fewer configuration options appear based on the type of credential or credential group you select.
- At this point, you can add your credential to Vault by clicking Create. If you would like to configure more rules, policies, and permissions for your credential, click Advanced.
The following steps provide additional options you can configure for your credential, including automatic rotation rules, check out policies, and more.
Step 2 - Permissions
This section allows you to set permissions on the credential by designating which users and applications can access this credential.
- Answer the following questions for your organization:
  - Who should be notified when these credentials are used?
  - Who is allowed to check out these credentials?
  - Who is allowed to rotate these credentials?
  - Can applications use these credentials?
- Review the Inherited list. See which, if any, permissions were inherited from the credential group.
- Once you have identified the answers to the questions and reviewed the inherited permissions, choose whether you wish to assign permissions based on individual users, user groups, or both.
- To assign permissions based on user level, click on the name of the user in the Users list. Then click > to move the user into the Assigned list.
- To assign permissions based on user group level, click on the name of the user group in the Groups list. Then click on the arrow to move the user group into the Assigned list.
- Click Save to save the permissions settings for the credential, or click Next to proceed to Automation Rules settings.
Step 3 - Automation rules
This section allows you to set whether the credential is active or inactive and to enable or disable automatic validation and rotation of the credential.
- In the Active field, select Yes to activate the credential or No to set the credential as inactive.
Note: If a credential is set as inactive, the automation rules settings will not take effect until the credential is activated.
- Do you want to enable automation on this credential? Choose to set automation as Enabled or Disabled for the credential. If Enabled is selected, additional options appear:
  - Automatically validate this credential every - Set the automatic validation interval in hours or days.
  - Automatically rotate this credential every - Set the automatic rotation interval in days.
  - Restart Services - Check the box to automatically rotate and restart services associated with the credential, and then enter the time at which the credential is rotated and the services are restarted.
  - When rotating the credential, use - Select Server or IP to specify which should rotate the credential.
- Is this account allowed to rotate other credentials? Select Yes to allow or No to disallow the credential to rotate other credentials.
Step 4 - Check out policy
This step allows you to set parameters for checking out the credential.
- Select whether the credential can be checked out by Vault users only, by applications integrated with Vault only, or by both systems.
- Indicate if multiple users can check out the credential at the same time.
- Decide if approval is required before the credential can be checked out.
- If No is selected, click Next to proceed to the next step.
- If Yes is selected, more fields become visible, allowing you to configure settings for the approval process.
- Choose how Vault handles the check out request if approval is not granted by selecting Approve or Reject, and indicate the time in hours Vault waits before taking the selected action. The time can be set between 1 and 24 hours.
- Choose the Vault user(s) who should approve or reject the use of the credential by clicking the name(s) in the Users list, then clicking the > arrow to add them to the Assigned list.
- Choose the Vault user group(s) who should approve or reject usage of the credential by clicking the name(s) in the Groups list, then clicking the > arrow to add them to the Assigned list.
Note: If the credential is associated with a credential policy, users and user groups associated with that policy automatically populate in the Inherited list as approvers.
- Choose if Vault users with permission to see the credential are allowed to skip approval to check out the credential in a "Break the Glass" emergency scenario.
- If Yes is selected, also indicate who should be notified when approval is skipped in a "Break the Glass" event: System administrators, Credential administrators, and/or Credential owner.
- Click Next.
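The Step 4 settings interact, so the sketch below models them as one decision function. It is an added example, not Bomgar code or a Vault API: the class, field and function names are hypothetical, and the order in which the checks run is an assumption. It shows how the Approve/Reject timeout choice decides whether an unanswered request ends up granted or denied.

```python
from dataclasses import dataclass, field

@dataclass
class CheckoutPolicy:
    # Field names are hypothetical; they mirror the Step 4 questions, not a Vault API.
    allowed_requesters: set            # subset of {"user", "application"}
    approval_required: bool
    timeout_action: str = "Reject"     # action taken when the wait expires
    timeout_hours: int = 24            # the page allows 1 to 24 hours
    break_glass: bool = False
    break_glass_notify: list = field(default_factory=list)

    def __post_init__(self):
        if self.timeout_action not in ("Approve", "Reject"):
            raise ValueError("timeout_action must be Approve or Reject")
        if not 1 <= self.timeout_hours <= 24:
            raise ValueError("timeout_hours must be between 1 and 24")

def decide(policy, requester, approver_decision=None, hours_waited=0, emergency=False):
    """Return (outcome, who_is_notified) for one check-out request."""
    if requester not in policy.allowed_requesters:
        return "denied", []
    if not policy.approval_required:
        return "granted", []
    # Break the Glass applies to Vault users, not integrated applications.
    if emergency and policy.break_glass and requester == "user":
        return "granted", list(policy.break_glass_notify)
    if approver_decision is not None:
        return ("granted" if approver_decision == "Approve" else "denied"), []
    if hours_waited >= policy.timeout_hours:
        return ("granted" if policy.timeout_action == "Approve" else "denied"), []
    return "pending", []

def review(policy):
    """List settings worth a second look before saving the policy."""
    findings = []
    if policy.approval_required and policy.timeout_action == "Approve":
        findings.append(f"unanswered requests are granted after {policy.timeout_hours}h")
    if policy.break_glass and not policy.break_glass_notify:
        findings.append("break-glass check-outs notify no one")
    return findings

if __name__ == "__main__":
    # Constructed sample policy: approval required, auto-approve after 4 hours.
    p = CheckoutPolicy({"user"}, True, timeout_action="Approve", timeout_hours=4, break_glass=True)
    print(decide(p, "user", hours_waited=4), review(p))
```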
Step 5 - Check in policy
This step allows you to set parameters for checking in the credential.
- Select whether the credential must be rotated when checked back in.
- If you selected Yes for the previous question, choose which account must rotate the credential.
  - This credential will rotate itself - the credential will rotate itself without any intervention by a user.
  - This credential will use a "Manager" account - the credential must be rotated by a user with a credential manager role.
- If you choose to rotate the credential using a manager account, specify which account to use. Click the Load button to the right of the Select the account that will rotate the credential field. The manager dialog box appears.
- Search for the desired manager account using the Credential, Description, or Type fields and click Search.
- Choose the manager account from the search results and click Accept.
- Click Finish to save the new credential and settings.
New Credentials - Bulk Insert
- To add multiple credentials simultaneously, go to Credentials > Credentials.
- Click the Bulk Insert button.
- Click the Download Sample CSV button.
  - CSVs are the method of choice for uploading multiple credentials in Bomgar Vault. The sample CSV outlines exactly what information should be included and the format it should follow.
- Review the sample CSV.
- Click the What Fields Can I Import button.
  - This section outlines the exact fields you can include in your CSV and a description of what information must be provided in the fields.
- For validation, Vault runs a check to verify that all information on the CSV was entered correctly. If any information is not properly formatted, an error message appears listing the errors. Correct the errors listed and re-save the CSV file, then click the Validate File button.